This Data Processing Agreement (“DPA”) supplements the Terms of Service of Prospea. It applies whenever the customer uses Prospea to process personal data within the meaning of the GDPR.
1. Definitions
The terms “personal data”, “processing”, “controller”, “processor” and “data subject” have the meaning assigned in Article 4 GDPR.
2. Purpose, nature and duration of processing
- Nature: storage, organization, retrieval, sending of messages.
- Purpose: delivery of the sales-prospecting service.
- Categories of data: name, professional contact details, public data collected about targeted businesses.
- Categories of data subjects: customer users, prospects / business contacts.
- Duration: for the term of the contract plus 30 days after termination.
3. Processor obligations
Des Clics aux Clients undertakes to:
- Process data solely on documented instructions from the customer;
- Ensure that persons authorized to process the data are bound by confidentiality;
- Implement the technical and organizational measures described in section 5;
- Assist the customer with their obligations (data-subject requests, DPIAs, notifications);
- Maintain a record of processing activities pursuant to Art. 30.2 GDPR.
4. Further subprocessors
The customer authorizes the use of the subprocessors listed at /subprocessors. Any new subprocessor will be announced by updating that page at least 30 days before production rollout, allowing the customer to object by terminating the contract.
5. Security
- TLS 1.2+ for all communications;
- Encryption at rest for secrets (SMTP credentials, third-party tokens);
- Logical separation and per-user access controls at the database level;
- Logging of admin access and regular rotation of secrets;
- Encrypted daily backups, restore tested at least every six months.
6. Incident management
In case of a personal data breach, we will notify the customer without undue delay and no later than 48 hours after becoming aware of it. The notification will cover the nature of the breach, the categories and approximate number of data subjects, likely consequences and remediation measures.
7. Transfers outside the European Union
Where a subprocessor is located outside the EU, the transfer is covered by the European Commission's Standard Contractual Clauses (decision 2021/914). The list of destination countries is kept up to date at /subprocessors.
8. Return and deletion of data
Upon contract expiration, the customer has 30 days to retrieve their data via the export available in their “GDPR & data” space. After that period, all data is removed from production systems, including backups, within a maximum of 90 days (backup rotation window).
9. Audit
The customer may request, at most once a year and with reasonable notice, a written compliance attestation. Further audits may be conducted at the customer's expense in the presence of an independent auditor bound by confidentiality obligations.
For any question about this DPA: privacy@prospea.co.